20 Questions to Ask When Reviewing Contracts with Generative AI Vendors

KEY TAKEAWAYS:

• From the face of the agreement, it is not always apparent whether a vendor’s products or services involve generative AI.
• Attorneys and contracts professionals should ask important questions to issue spot for generative AI components and assess the risk level.
• Laws, regulations, and industry standards with respect to generative AI offerings are changing quickly, requiring ongoing training for Legal, Procurement, and Business groups.

Generative AI and other forms of machine learning raise new and often weird issues for contract drafters. They’re software contracts, but with unusual concerns related to intellectual property, liability, privacy, and more.

As a buy-side in-house attorney, I am seeing more and more contracts with vendors who offer generative AI (“genAI”) products or services or whose products and services rely on some sort of genAI. Contracts with genAI vendors require a deeper layer of contract review to assess and address the special set of risks involved.

Learn more: Join the LinkedIn conversation >> here.

Spotting GenAI in Contracts

Probably not. From the face of the agreement, it is not always apparent whether a vendor’s products or services involve genAI. That’s because this is still a relatively new space. Laws, regulations, and contractual clauses are still under development. Contract templates have likely not been updated to include or expressly exclude the use of Customer data for AI training purposes. Therefore, it is particularly important to issue-spot before diving into the contract. Check with your internal client or directly with the vendor whether genAI is involved and, if so, the details around it.

Initial Questions to Ask When Reviewing a Contract with a GenAI Vendor

Here are some initial questions you can ask to better understand the involvement (if any) of genAI in the engagement.

1. What aspect of the product or service offering relies on genAI?
2. Is the use of genAI required or optional?
3. What input is required from the customer (e.g., confidential information, personal or sensitive data, etc.)?
4. What is the output being provided by the genAI?
5. Is the customer relying on the output as-is or ingesting the output to create something else?
6. How accurate is the output? How accurate does the customer need the output to be?
7. Is the vendor willing to stand behind the output in reps and warranties, indemnification, or limitation of liability claims?
8. Who or what trained the genAI?
9. Is the customer expected to help train the vendor’s genAI with the customer’s data?
10. If so, what kind of customer data is needed for the training?
11. If so, how is the customer data aggregated and anonymized? Is it co-mingled with that of other customers or logically separated? Is it pushed back to an AI vendor?
12. How long until the customer’s data is no longer in the genAI model? How often are the models updated?
13. What happens if the tool can no longer be supported (either for regulatory reasons or they lose a license to the underlying models)?
14. What kind of indemnification protections do I have?
15. Who owns the input? Who owns the output?
16. If the vendor owns the output but the customer wants to use the output, what are the usage rights and restrictions?
17. If the tool or models are customizable, who owns those improvements, and are they used to better the tool for other customers?
18. How is feedback data defined and who owns it?
19. Are the genAI components owned or licensed by the vendor? If licensed, what are the underlying license terms between the vendor and genAI subcontractor concerning the ownership and/or use of data processed by the tool?
20. Is the genAI tested to detect or avoid bias and/or hallucinations?

Learn more: Register for upcoming webinar on Contracts for Generative AI >> here.

Ways to Mitigate Risks Presented by GenAI Vendors

Once you have an understanding of how genAI is involved in the deal, identify and create risk mitigations throughout the operative agreement to address those specific risks. Here are a few examples:

• Expressly state that the vendor cannot use genAI to provide the product or services to the customer unless the customer expressly consents to such.
• Define “Customer Data” and how it can and cannot be used as feedback or training data. David Tollen, Founder of The Tech Contracts Academy, explains why customers should not grant feedback licenses or assignments.
• Clearly state who owns the input and who owns the output, as well as related usage rights.
• Seek warranties and disclaimers related to how the genAI functions.
• The vendor should indemnify the customer for intellectual property infringement claims (and other third-party claims) related to the vendor’s genAI offerings.

There are other ways, in addition to contractual, to mitigate the risks presented by working with genAI vendors. Here are a few examples:

• Internal training: Your internal Legal, Procurement, and Business groups should be properly trained on understanding, spotting, and addressing genAI and related issues. In addition, users should be trained on how to filter customer data input provided to the vendor so that it does not contain customer’s confidential information or sensitive or personal data (where possible).
• AI policy: Make sure your organization has an AI policy in place to address the use of AI and genAI by employees and personnel. Shannon Yavorsky, Privacy, AI, and Cyber Partner at Orrick, offers clients a GenAI Policy Builder assessment and tool to get started.
• Vendor selection process: Working with inexperienced vendors heightens the risk profile of any deal. To reduce the risk, ensure that any new vendors selected have been appropriately vetted for their experience and handling of genAI. Ask the tough questions upfront.

Learn More About GenAI Contracts

To learn more about reviewing and negotiating contracts with generative AI components, join the free webinar hosted by Contract Nerds on May 16^th with David Tollen, Shannon Yavorsky, and Nada Alnajafi. *Live attendees can receive CLE credit in approved jurisdictions.

What you’ll learn:

✔️ How to address ownership and control of data input into AI systems.

✔️ The indemnities typically offered by AI vendors and the logic behind them.

✔️ The trade secrets and risks posed by generative AI.